Formal specification of role-based security policies for clinical information systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Formal specification of role-based security policies for clinical information systems

Full text

Pdf (196 KB)

Source

Symposium on Applied Computing archive
Proceedings of the 2005 ACM symposium on Applied computing table of contents

Santa Fe, New Mexico

SESSION: Computer security (SEC) table of contents

Pages: 332 - 339

Year of Publication: 2005

ISBN:1-58113-964-0

Authors

Karsten Sohr	Universität Bremen, Bielefeld, Germany
Michael Drouineaud	Universität Bremen, Bielefeld, Germany
Gail-Joon Ahn	University of North Carolina at Charlotte Charlotte, NC

Sponsor

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 18, Downloads (12 Months): 171, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1066677.1066756 What is a DOI?

ABSTRACT

Many healthcare organizations have transited from their old and disparate business models based on ink and paper to a new, consolidated ones based on electronic patient records. There are significant demands on secure mechanisms for collaboration and data sharing among clinicians, patients and researchers through clinical information systems. In order to fulfil the high demands of data protection in such systems, we believe that access control policies play an important role to reduce the risks to confidentiality, integrity, and availability of medical data. In this paper, we attempt to formally specify access control policies in clinical information systems which are highly dynamic and complex environments. We leverage characteristics of temporal linear first-order logic to cope with dynamic access control policies in clinical information systems.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Tuomas Aura, Distributed access-rights management with delegation certificates, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
	2	E. Barka , R. Sandhu, Framework for role-based delegation models, Proceedings of the 16th Annual Computer Security Applications Conference, p.168, December 11-15, 2000
	3	Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: a temporal role-based access control model, Proceedings of the fifth ACM workshop on Role-based access control, p.21-30, July 26-28, 2000, Berlin, Germany [doi>10.1145/344287.344298]
	4	Elisa Bertino , Elena Ferrari , Vijay Atluri, The specification and enforcement of authorization constraints in workflow management systems, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.65-104, Feb. 1999 [doi>10.1145/300830.300837]
	5	Michael Drouineaud , Maksym Bortin , Paolo Torrini , Karsten Sohr, A First Step Towards Formal Verification of Security Policy Properties for RBAC, Proceedings of the Quality Software, Fourth International Conference on (QSIC'04), p.60-67, September 08-10, 2004 [doi>10.1109/QSIC.2004.2]
	6	EU, Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Directive 95/46/EC. http://www.privacy.org/pi/intl_orgs/ec/eudp.html, 1995.
	7	D. Ferraiolo, D. Gilbert, and N. Lynch, An examination of federal and commercial access control policy needs, Proc. of the NIST-NCSC Nat. (U. S.) Comp. Security Conference, 1993, pp. 107--116.
	8	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001 [doi>10.1145/501978.501980]
	9	Deutsches Institut für Medizinische Dokumentation und Information, Gesundheitskarte. http://www.dimdi.de/de/ehealth/karte/index.htm, 2004.
	10	M. Gasser and E. McDermott, An architecture for practical delegation in a distributed system, Proc. IEEE Symposium on Research in Security and Privacy, 1990, pp. 20--30.
	11	Christos K. Georgiadis , Ioannis Mavridis , George Pangalos , Roshan K. Thomas, Flexible team-based access control using contexts, Proceedings of the sixth ACM symposium on Access control models and technologies, p.21-27, May 2001, Chantilly, Virginia, United States [doi>10.1145/373256.373259]
	12	H. M. Gladney, Access control for large collections, ACM Transactions on Information Systems (TOIS), v.15 n.2, p.154-194, April 1997 [doi>10.1145/248625.248652]
	13	V. D. Gligor, S. I. Gavrila, and D. Ferraiolo, On the formal definition of separation-of-duty policies and their composition, 1998 IEEE Symposium on Security and Privacy (SSP '98), IEEE, May 1998, pp. 172--185.
	14	Robert Goldblatt, Logics of time and computation, Center for the Study of Language and Information, Stanford, CA, 1987
	15	Åsa Hagström , Sushil Jajodia , Francesco Parisi-Presicce , Duminda Wijesekera, Revocations-A Classification, Proceedings of the 14th IEEE Workshop on Computer Security Foundations, p.44, June 11-13, 2001
	16	Zohar Manna , Nikolaj Bjørner , Anca Browne , Edward Y. Chang , Michael Colón , Luca de Alfaro , Harish Devarajan , Arjun Kapur , Jaejin Lee , Henny Sipma , Tomás E. Uribe, STeP: The Stanford Temporal Prover, Proceedings of the 6th International Joint Conference CAAP/FASE on Theory and Practice of Software Development, p.793-794, May 22-26, 1995
	17	Zohar Manna , Amir Pnueli, Temporal verification of reactive systems: safety, Springer-Verlag New York, Inc., New York, NY, 1995
	18	T. Mossakowski, M. Drouineaud, and K. Sohr, A temporal-logic extension of role-based access control covering dynamic separation of duties, Proc. of TIME-ICTL 2003), Cairns, Queensland, Australia, July 8--10 2003.
	19	M. J. Nash and K. R. Poland, Some conundrums concerning separation of duty, Proc. IEEE Symposium on Research in Security and Privacy, 1990, pp. 201--207.
	20	Isabelle/HOL: a proof assistant for higher-order logic, Springer-Verlag, London, 2002
	21	Sejong Oh , Ravi Sandhu, A model for role administration using organization structure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA [doi>10.1145/507711.507737]
	22	Ravi Sandhu , Venkata Bhamidipati , Qamar Munawer, The ARBAC97 model for role-based administration of roles, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.105-135, Feb. 1999 [doi>10.1145/300830.300839]
	23	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845 ]
	24	Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997
	25	Longhua Zhang , Gail-Joon Ahn , Bei-Tseng Chu, A rule-based framework for role-based delegation and revocation, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.404-441, August 2003 [doi>10.1145/937527.937530]